Executive summary

Samba in Fedora 18+ cannot yet be used for AD DC configuration

Supported setups in current Fedora releases starting with Fedora 18

General

We don't support deprecated options from Samba earlier than 4.0 if there are replacements for them. Please migrate to new options. Feel free to ask about correct config files in general samba mailing lists because these are not specific to Fedora.

Client

We support all winbind setups especially having a Linux client joined to an Active Directory domain. (We don't plan to have client GPO support yet). This includes all tools needed to get information out of a Domain like wbinfo, joining and managing accounts with the 'net' command and pam_winbind for logging in.

We also support Samba as a NT4 domain member for existing installations (security = domain)

Client libraries

The following libraries are supported: libsmbclient, libsmbsharemodes, libnetapi and libwbclient. They are needed by Desktop Environments or Display Managers for logging in.

Also for user login: libnss_winbind.so, libnss_wins.so and pam_winbind.so.

Server modes

security mode userFile servers in security mode user are fully supported and will be in future.

security mode shareTHIS IS DEPRECATED!!! Please move to security mode user for current configurations. This feature is really old and shouldn't be used anymore. It has been already removed in Samba 4.0.

security mode serverTHIS IS DEPRECATED!!! Please move to security mode user for current configurations. It has been already removed in Samba 4.0.

security mode adsWe only support configurations where winbind is running. smbd without winbind is unsupported.

Trusts

net rpc trustdomSamba can be used as a PDC that can establish trusted relationships with AD

FreeIPA AD trustsSamba is used as a PDC within FreeIPA configuration to provide minimal AD-like setup that can be trusted by existing Microsoft Active Directory implementation

Please also note that Samba AD DC configurations, whether it hosted on other platforms or your own compiled version, do not currently support forest level trusts to another Active Directory-compatible setup. Thus, they cannot be used to establish trust with FreeIPA deployments yet.

Printing

We fully support Samba as a print server with cups and lprng backend.

LDAP integration

Configuring Samba PDC with ldapsam PASSDB module is supported. However, use of smbldap-tools is unsupported. As we don't package them, if you can prove that it is a samba issue (providing logs, backtraces, reproducer) we are fine fixing Samba-specific issues.

Samba DCE libraries

Every Samba library used by Fedora packages is supported. External usage is not supported if it is not explicitly stated below. We support libraries used by openchangeevolution-mapi, FreeIPA and SSSD.
Additionally we support all public libraries of the samba-libs package.

Progress since Fedora 18

Unified Samba package set is provided. Each package is prefixed with samba-. There are no separate samba-package and samba4-package package sets anymore.

Samba 4.x is built with MIT Kerberos for Samba server modes outlined above.

Work has started Samba upstream on bringing newer embedded Heimdal build to Samba so that there is less difference between MIT Kerberos and Heimdal APIs. Once this done, we'll be able to gradually extend parts of Samba AD DC to turn on.

Work is being done on allowing use of MIT Kerberos KDC instead of embedded Heimdal KDC within Samba AD DC. This will be done with the help of CWrap project which provides preloading libraries to divert certain networking and identity-related functions to separate processes. Original versions of these libraries are used within Samba to perform functional tests of whole Samba suite.

Work has started to extend Samba AD DC to allow forest trust setup with another forests.